Abstract: In one example, an intermediate network device sends packets that advertise a transmission control protocol (TCP) window size of zero bytes to a client device and a server device. The device, after sending the packets, receives a first zero-window probe packet from the client device including data representing a first current sequence number for a client-to-server packet flow of an established network session, and a second zero-window probe packet from the server device including data representing a second current sequence number for a server-to-client packet flow of the network session. The device also initializes a TCP state based on the first and second current sequence numbers, and acts as a TCP proxy for packets following the first zero-window probe packet of the client-to-server packet flow based on the TCP state and packets following the second zero-window probe packet of the server-to-client packet flow based on the TCP state.

Abstract: In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to receive, at a management device, an instantiation request for a first virtual machine. The code includes code to cause the processor to identify a first compute device at a first time such that the first compute device is undersubscribed at the first time. The code includes code to cause the processor to send an instruction to instantiate the first virtual machine at the compute device, and receive a signal indicating that a boot process associated with the first virtual machine is complete and that the virtual machine is instantiated at the first compute device. The code includes code to cause the processor to send at a second time, a signal to migrate the first virtual machine from the first compute device to a second compute device in response to the boot process being complete.

Abstract: A method of sending data to a switch fabric includes assigning a destination port of an output module to a data packet based on at least one field in a first header of the data packet. A module associated with a first stage of the switch fabric is selected based on at least one field in the first header. A second header is appended to the data packet. The second header includes an identifier associated with the destination port of the output module. The data packet is sent to the module associated with the first stage. The module associated with the first stage is configured to send the data packet to a module associated with a second stage of the switch fabric based on the second header.

Abstract: In some embodiments, an apparatus comprises a switch from a set of switches associated with a stage of a multi-stage switch fabric. The switch is configured to receive a data packet having a destination address of a destination device from a source device, and then store the data packet in a queue of the switch. The switch is configured to define a message based on the queue having an available capacity less than a threshold, and include a congestion root indicator in the message if the switch is a congestion root. The switch is then configured to send the message to the source device such that the source device sends another data packet having the destination address of the destination device to another switch from the set of switches and not to the previous switch if the message includes the congestion root indicator.

Abstract: In some embodiments, an apparatus includes a switch device that can be operatively coupled to a network having a set of links. The switch device can receive at a first time, a message having a set of physical coding sublayer (PCS) lanes. The message can include an error notification within a first subset of PCS lanes from the set of PCS lanes and not within a second subset of PCS lanes from the set of PCS lanes. The error notification is associated with signal degradation of a link from the set of links, where the switch device can send a first signal in response to receiving the message at the first time. The switch device can also receive at a second time a message without the error notification, and the switch device can send a second signal in response to receiving the message at the second time.

Abstract: A device receives data, identifies a context associated with the data, and identifies a script, within the data, associated with the context. The device parses the script to identify tokens, forms nodes based on the tokens, and assembles a syntax tree using the nodes. The device renames one or more identifiers associated with the nodes and generates a normalized text, associated with the script, based on the syntax tree after renaming the one or more identifiers. The device determines whether the normalized text matches a regular expression signature and processes the data based on determining whether the normalized text matches the regular expression signature. The device processes the data by a first process when the normalized text matches the regular expression signature or by a second process, different from the first process, when the normalized text does not match the regular expression signature.

Abstract: In some embodiments, an apparatus includes a first edge device that is operatively coupled to a second edge device via a switch fabric. The first edge device and the second edge device collectively define an edge device network operating with a network-address-based protocol. The first edge device communicates with the second edge device via a multiprotocol label switching (MPLS) tunnel through the switch fabric. Furthermore, the first edge device is operatively coupled to the switch fabric such that a node of the switch fabric can be modified without coordination of the edge device network. Additionally, the first edge device is operatively coupled to the second edge device to define the edge device network such that an edge device of the edge device network can be modified without coordination of the switch fabric.

Abstract: In some embodiments, an apparatus includes an optical detector that can sample asynchronously an optical signal from an optical component that can be either an optical transmitter or an optical receiver. In such embodiments, the apparatus also includes a processor operatively coupled to the optical detector, where the processor can calculate a metric value of the optical signal without an extinction ratio of the optical signal being measured. The metric value is proportional to the extinction ratio of the optical signal. In such embodiments, the processor can define an error signal based on the metric value of the optical signal and the processor can send the error signal to the optical transmitter such that the optical transmitter modifies an output optical signal.

Abstract: In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to receive, at a network management module, a request for data plane information associated with a set of access switches of a distributed switch. The non-transitory processor-readable medium includes code to cause the processor to send, in response to the request, an instruction to each access switch from the set of access switches such that a proxy module at each access switch accesses data plane information at at least one line card at that access switch. The non-transitory processor-readable medium includes code to cause the processor to receive, from each access switch from the set of access switches, the data plane information associated with that access switch, and then send a signal to output, on a single interface, the data plane information associated with each access switch from the set of access switches.

Abstract: In general, techniques are described for improving network path computation for requested paths that include a chain of service points that provide network services to traffic flows traversing the requested path through a network along the service chain. In some examples, a controller network device receives a request for network connectivity between a service entry point and a service exit point for a service chain for application to packet flows associated to the service chain. The device, for each pair of the service points in the particular order and using the active topology information, computes at least one end-to-end sub-path through the sub-network connecting the pair of the service points according to a constraint and computes, using the at least one end-to-end sub-path for each pair of the service points, a service path between the service entry point and the service exit point for the service chain.

Abstract: A network device may include first logic configured to count data units passing through the network device and to produce a counter value. The network device may include second logic configured to receive the counter value when an indicator is present, and to store the counter value. The network device may include third logic configured to sample the second logic, to receive the counter value, and to operate on the counter value to produce a result.

Abstract: A device is configured to store information indicating a threshold bandwidth with which a multi-lane link is permitted to operate. The device may establish the multi-lane link with a peer device. The multi-lane link may include multiple lanes used to communicate data with the peer device. The device may determine fault states for the lanes included in the multi-lane link. A fault state, for a particular lane, may indicate that the particular lane is faulty. The device may determine an available bandwidth for the multi-lane link based on the fault states for the lanes. The device may selectively terminate the multi-lane link or operate the multi-lane link at the available bandwidth based on whether the available bandwidth satisfies the threshold bandwidth.

Abstract: In one embodiment, a method includes receiving a value associated with a data packet and identifying a data set based on the value. The data set is associated with a range of values and represents routing actions. The data set is a first data set from a plurality of data sets if the value is included in the range of values associated with the first data set. The data set is a default data set if the value is not included in a range of values associated with a data set from the plurality of data sets. The method includes combining the first data set with the default data set if the first data set is identified. The method includes combining the default data set with an except data set if the default data set is identified.

Abstract: In general, techniques are described for using routing information obtained by operation of network routing protocols to dynamically generate network and cost maps for an application-layer traffic optimization (ALTO) service. For example, an ALTO server of an autonomous system (AS) receives routing information from routers of the AS by listening for routing protocol updates outputted by the routers and uses the received topology information to dynamically generate a network map of PIDs that reflects a current topology of the AS and/or of the broader network that includes the AS. Additionally, the ALTO server dynamically calculates inter-PID costs using received routing information that reflects current link metrics. The ALTO server then assembles the inter-PID costs into a cost map that the ALTO server may provide, along with the network map, to clients of the ALTO service.

Abstract: An electronic device includes an instrument panel that includes a display opening, where the instrument panel is located in a first plane; a circuit board located inside the electronic device, where the circuit board includes a display device that includes a display area, and where the display area is located in a second plane that is different from the first plane; and a waveguide that couples the display area to the display opening and guides light, and/or an image displayed in the display area, from the display area to the display opening.

Abstract: A security device may receive a request, from a client device and intended for a server device, to provide a resource. The resource may be associated with information stored by the server device. The security device may identify the request as being associated with a malicious script. The malicious script may execute on the client device and may include a script that performs one or more undesirable tasks directed to the server device. The security device may receive, from the server device, a response to the request. The response may include information associated with the requested resource. The security device may modify the response to form a modified response. The response may be modified in an attempt to cause the malicious script to experience an error. The security device may provide the modified response to the client device.

Abstract: Techniques are described for specifying and constructing multi-protocol label switching (MPLS) rings. Routers may signal membership within MPLS rings and automatically establish ring-based label switch paths (LSPs) as components of the MPLS rings for packet transport within ring networks. In one example, a router includes a processor configured to establish an MPLS ring having a plurality of ring LSPs. Each of the ring LSPs is configured to transport MPLS packets around the ring network to a different one of the routers operating as an egress router for the respective ring LSP. Moreover, each of the ring LSPs comprises a bidirectional, multipoint-to-point (MP2P) LSP for which any of the routers can operate as an ingress to source packet traffic into the ring LSP for transport to the respective egress router for the ring LSP. Separate protection paths, bypass LSPs, detours or loop-free alternatives need not be signaled.

Abstract: A system may determine to perform an internal malware detection operation to detect malware executing on a client device. The system may perform the internal malware detection operation. The internal malware detection operation may be performed locally on a particular device without requiring communication with another device. The system may modify an environment executing on the particular device, to form a modified environment, based on performing the internal malware detection operation. The system may monitor the modified environment for a particular behavior indicative of a malware infection. The system may detect that the particular behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.

Abstract: A network filter is implemented so that filter terms that include intra-term OR conditions and converted to sub-terms that include only logical AND conditions. In one implementation, a device may include logic to receive a filter definition including one or more terms, at least some of the terms including logical OR conditions, that define how network traffic through the device is to be filtered, the logic expanding the one or more terms in the filter such that terms that contain logical OR conditions are expanded into a plurality of sub-terms that each contains only logical AND conditions. The device may further include a ternary content-addressable memory (TCAM) programmed to include a separate entry corresponding to each of the sub-terms.

Abstract: A device receives requests for content, determines requests for a same identifier from the requests for the content, and stores information associated with the determined requests in an object. The object includes a number of the determined requests, and a current time and a start time associated with the determined requests. The device also determines whether the number of the determined requests satisfies a first threshold, and determines whether a difference between the current time and the start time satisfies a second threshold. The device identifies a loop associated with another device when the number of the determined requests satisfies the first threshold and the difference satisfies the second threshold, and provides information associated with the identified loop.